# Exploit Title: PHPFox XSS AdminCP
# Date: 2014-10-22
# Exploit Author: Wesley Henrique Leite aka "spyk2r"
# Vendor Homepage: http://www.moxi9.com
# Version: All version
# CVE : CVE-2014-8469
# Response Vendor: fixed 2014-10-23 (to v4 Beta)
[+] DESCRIPTION
The system stores all urls accessed in a database table, below
information in the same 'phpfox_log_session'
[phpfox]> desc phpfox_log_session;
+---------------+----------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+---------------+----------------------+------+-----+---------+-------+
++++++++++ more values and
| user_agent | varchar(100) | NO | | NULL | |
+---------------+----------------------+------+-----+---------+-------+
the column that can be manipulated is:
-> user_agent (100)
all acess store in the system, such as bots and users wandering around the
web site, can be seen in:
AdminCP
TOOLS > Online > Guests/Boots
Output
| IP ADDRESS | User-Agent | ...
knowing this, the following code was created to inject a script into the
AdminCP with User-Agent.
$ curl -A "" \
http://www.meusite.com.br/
OR
$ curl -A "" http://www.meusite.com.br/
when any user with administrative access in.
'AdminCP'
TOOLS > Online > Guests/Boots
we have the script running in the administrative area.
[+] My Solution
(line 1.8)
1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php
Tue Oct 21 10:00:11 2014 -0200
1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php
Tue Oct 21 12:28:39 2014 -0200
1.3 @@ -25,7 +25,7 @@
1.4 {foreach from=$aGuests key=iKey item=aGuest}
1.5
1.6 | {$aGuest.ip_address} |
1.7 - {$aGuest.user_agent} |
1.8 + {$aGuest.user_agent|strip_tags} |
1.9
1.10 |